You are on page 1of 33

Serious VPN && !

(Serious Cost)
a.k.a. don't pay to “go-to-your-pc”

Jeremy Willden
Open Source Enthusiast
Ad Hoc Electronics
http://www.adhocelectronics.com/
Internet Security Issue: BGP spoof
● Border Gateway Protocol handles major routing
● Unencrypted traffic can be monitored or
modified from anywhere in the world

http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html
Networking Overview
● Firewalls and NAT
Networking Overview
Networking Overview
Networking Overview
Networking Overview
Remote Access
● Problem: how to remote control your PC
● Partial Solution: VNC Server & Client
Remote Access
Remote Access
Remote Access
● Problem: how to remote control your PC
● Partial Solution: VNC Server & Client
● Google VNC or check sourceforge.net
● Use password authentication
● Port forwarding (5900) remote - insecure!
● Solution isn't complete
– It's not secure, only allows one service (port)
– Separate port for each client
Securely Connecting Networks
● Virtual Private Network (VPN)
● Data encrypted between networks
● Many closed and open-source alternatives
– Many get broken by NAT, or are limited by it
– Proprietary ones may only be obscure, not secure
● Ideal: open/free, well tested, reviewed
– Use the same code base as eCommerce, TLS/SSL
– Take it further: not just one service/port
Why OpenVPN?
● Uses OpenSSL (TLS)
– Heavily tested, SSL is used for HTTPS
– Many ciphers (Blowfish, AES 128/256, many more)
– Free as in Freedom
– Available ready to deploy on many platforms
● Linux/Mac/Windows
● Router (embedded) firmware
– Public Key Infrastructure
● Certificate revocation without re-keying
TLS (SSL) Handshake
● Random keys exchanged using public key
cryptography, prevents man-in-middle attacks

Image Copyleft Christian Friedrich, licensed under GFDL, with spelling corrections. Source: Wikimedia
TLS (SSL) Handshake

Image Copyleft Christian Friedrich, licensed under GFDL, with spelling corrections. Source: Wikimedia
General Setup-Linux
● http://openvpn.net/index.php/documentation/howto.html
● Pull down the source from openvpn.net
– http://www.oberhumer.com/opensource/lzo/download/lzo-2.03.tar.gz
– http://openvpn.net/release/openvpn-2.0.9.tar.gz
– Unzip/untar: tar -xzf ./lzo-2.03.tar.gz, tar -xzf ./openvpn-2.0.9.tar.gz
– “cd” into each folder, do ./configure, make, make install

● Use yum or apt-get (yum -y install openvpn)


● Download RPMs (including dependencies)
– rpm -ivh (path to each RPM, one at a time)
● chkconfig openvpn on (to auto-start)
General Setup-Windows
● Install Windows package from openvpn.net

<<== You need at least one virtual adapter

<<== All config files reside here

<<== Logs are useful for troubleshooting


Windows-OpenVPN GUI
● Roving computer (laptop)
OpenVPN as a service
● Desktop at home, always connected
OpenVPN as a service
● Desktop at home, always connected
Bridged VPN
● Broadcast traffic is forwarded through the VPN
● Allows service easy service discovery (virtual
Ethernet connection) netBIOS, Bonjour, etc.
● DHCP server shouldn't send a default gateway
to VPN clients
● VPN client IP addresses are in the same subnet
as the private network
Routed VPN
● Connect to other devices by IP address
(because broadcast traffic is blocked)
● Or set up DNS on both ends to include all
names
● VPN IP addresses are separate from both client
and server IPs
● Either way, you use the private, internal
addresses to connect to your private network
– All data encrypted through the tunnel
Implementation 1
● Routed VPN with public key infrastructure
● Generate your own keys/certificates
● Private IP range for VPN addresses
● Use a server with Apache, install a status page
– http://pablohoffman.com/software/vpnstatus/vpnstatus.txt
– PHP script that connects to the management port
server.conf (Implementation 1)
Port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 10.200.200.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.15.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"
client-to-client
keepalive 30 120
# Generate with: openvpn --genkey --secret ta.key
# The second parameter should be '0' on the server and '1' on the clients.
tls-auth ta.key 0
;cipher AES-128-CBC # AES
comp-lzo
max-clients 30 Also ensure that IP forwarding is enabled on the server, so
user nobody either run this in a startup script somewhere:
group nobody cat > 1 /proc/sys/net/ipv4/ip_forward
persist-key
persist-tun or edit your /etc/sysctl.conf file and make sure this line is
status /etc/openvpn/openvpn-status.log there (and not commented out)
log-append /etc/openvpn/openvpn.log net/ipv4/ip_forward=1
verb 4
;crl-verify keys/crl.pem
management localhost 7505
client1.conf (Implementation 1)
client
dev tun
proto udp
remote my.dyndns.name 1194
resolv-retry infinite
nobind
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server Debug tool: ngrep (packet sniffer)
ngrep -d eth0 -Wbyline port 1194
tls-auth ta.key 1
comp-lzo
verb 3
Router Setup (Implementation 1)
OpenVPN on dd-wrt
● dd-wrt
– Open-source Linux-based router firmware
– “vpn” version includes openvpn
– Operates in client or server mode
● http://www.dd-wrt.com
● http://www.dd-wrt.com/wiki/index.php/OpenVPN_-_Site-to-
Site_routed_VPN_between_two_routers
dd-wrt router client configuration
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn
./myvpn --mktun --dev tun0 echo "****CERT CONTENTS****" > ca.crt
ifconfig tun0 0.0.0.0 promisc up
sleep 5 echo "****CERTIFICATE CONTENTS****" > client.crt
echo "client
daemon echo "****KEY CONTENTS***" > client.key
dev tun0
proto udp echo “***ta.key contents***” > ta.key
remote my.server.name 1194
resolv-retry infinite ./myvpn --config client.conf
tls-auth ta.key 1
nobind FIREWALL SCRIPT (REMOVE #COMMENTS):
persist-key iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
persist-tun #Allows VPN traffic out
ca ca.crt iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
cert client.crt #Allows VPN traffic in
key client.key iptables -I INPUT -i tun0 -j ACCEPT
ns-cert-type server # Allows VPN to connect to GUI
comp-lzo
verb 3
" > /tmp/client.conf
#CONTINUED NEXT COLUMN
dd-wrt router server changes
Add a client config file directory
mkdir /etc/openvpn/ccd

Create a client config file for each remote router (filename must match client name!)
nano -w /etc/openvpn/ccd/client2
iroute my.sub.net.addr 255.255.255.0

Modify the server.conf file and add these lines:


client-config-dir /etc/openvpn/ccd
route my.sub.net.addr 255.255.255.0

VITAL: make sure /etc/openvpn/ccd is world readable, along with all files inside!
Otherwise, the downgraded daemon won't be able to read the files.

You can also make each remote router's subnets available to the other routers, but it's a
bit more complicated – the ccd files may need to include a push-reset followed by a
push off all relevant parameters except for it's own route
Implementation 2
● Routed VPN with static keys
● Between two sites using dd-wrt routers
dd-wrt router 1 client configuration
# STARTUP SCRIPT
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn
echo "remote REMOTEADDRESS
proto udp
port 2000
dev tun0 #FIREWALL SCRIPT
secret /tmp/static.key iptables -I INPUT 2 -p udp --dport 2000 -j ACCEPT
verb 3 iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
comp-lzo iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
keepalive 15 60
daemon
" > SiteA-SiteB.conf
echo "
YOUR STATIC KEY
" > static.key
/tmp/myvpn --mktun --dev tun0
ifconfig tun0 10.0.0.2 netmask 255.255.255.0 promisc up
route add -net OTHERSUBNET netmask 255.255.255.0 gw 10.0.0.1
sleep 5
/tmp/myvpn --config SiteA-SiteB.conf
dd-wrt router 2 client configuration
# STARTUP SCRIPT
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn
echo "proto udp
port 2000
dev tun0
secret /tmp/static.key #FIREWALL SCRIPT
verb 3 iptables -I INPUT 2 -p udp --dport 2000 -j ACCEPT
comp-lzo iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
keepalive 15 60 iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
daemon
" > SiteA-SiteB.conf
echo "
YOUR STATIC KEY
" > static.key
/tmp/myvpn --mktun --dev tun0
ifconfig tun0 10.0.0.1 netmask 255.255.255.0 promisc up
route add -net OTHERSUBNET netmask 255.255.255.0 gw 10.0.0.2
sleep 5
/tmp/myvpn --config SiteA-SiteB.conf
References
● http://www.openvpn.net
● http://openvpn.net/index.php/documentation/howto.html
● http://en.wikipedia.org/wiki/Secure_Sockets_Layer
● http://en.wikipedia.org/wiki/Transport_Layer_Security
● http://pbxinaflash.com/forum/showpost.php?p=12108&postcount=24